On March 1, 2017, HITRUST announced its roadmap for 2017, which included improvements to the HITRUST CSF and a renewed focus on smaller healthcare organizations.
The roadmap focuses on combating cyber threats and information risks while advancing protection standards regarding healthcare data through CSFBASICs, HITRUST CSF v8.1, HITRUST CSF v9, and CSF Assurance Program v9.
CSF Basic Assurance and Simple Institution Cybersecurity, or CSFBASICs, makes it easier for smaller businesses to realistically meet regulatory demands, in addition to protecting against cyber threats. These requirements are streamlined and easier to understand, enabling smaller companies to provide regulatory assurance to regulators and third parties.
This update is scheduled for availability in Q3 of 2017.
HITRUST CSF v8.1
HITRUST CSF v8.1 was made available February 6, 2017. Updates include support for PCI DSS v3.2 and MARS-E v2.
HITRUST CSF v9
The HITRUST CSF v9 update includes OCR Audit Protocol v2, FedRAMP support for Cloud and IaaS Service Providers, and FFIEC IT Examination Handbook for Information Security.
The controls for HITRUST CSF version 9 will increase from 66 to 75. Clients that wish to certify against version 8.0 or 8.1 will need an assessment object already in MyCSF before the release of version 9. Then, the assessment must be submitted for processing within six months. There will be no exceptions to this policy.
HITRUST is ensuring relevant CSF control requirements align with the language of the Office for Civil Rights Audit Protocol. In addition, FedRAMP requirements will be incorporated. Version 9 includes new authoritative sources such as the Federal Financial Institutions Examination Council’s IT Examination Handbook – Information Security requirements, and the Department of Homeland Security’s Cyber Resilience Review (CRR). The HITRUST Threat Catalogue will fully integrate with v10 in 2018.
HITRUST CSF v9 is scheduled to be available in July 2017.
CSF Assurance Program v9
Under CSF Assurance Program v9, a HITRUST CSF Assessment also includes a NIST Cybersecurity Framework certification, which includes auditable documentation in addition to a HIPAA risk assessment.
This program is scheduled for availability in Q3 2017.
Addressing Your HITRUST Needs
Unsure of how these updates could affect your organization? A-LIGN’s professionals have experience with healthcare organizations and their business associates. Please reach out today to discuss how CSFBASICs, HITRUST CSF v8.1, HITRUST CSF v9, and the CSF Assurance Program v9 could affect your organization in 2017 and beyond.